{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Rare Parent/Child Process Relationship\n",
    "\n",
    "An attacker may abuse LOLBAS binaries by having them spawned from vulnerable applications that system administrators do not typically use. This search leverages the Splunk Streaming ML DSP plugin to find rare parent/child process relationships. The list of applications has been extracted from https://github.com/LOLBAS-Project/LOLBAS/tree/master/yml/OSBinaries\n",
    "\n",
    "https://github.com/splunk/security-content/blob/unit_test_prohibited_apps_spawning_cmdprompt/detections/endpoint/rare_parent_process_relationship_lolbas___ssa.yaml"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 22,
   "metadata": {
    "execution": {
     "iopub.execute_input": "2020-10-15T21:50:56.862479Z",
     "iopub.status.busy": "2020-10-15T21:50:56.862220Z",
     "iopub.status.idle": "2020-10-15T21:51:06.101230Z",
     "shell.execute_reply": "2020-10-15T21:51:06.100748Z",
     "shell.execute_reply.started": "2020-10-15T21:50:56.862456Z"
    }
   },
   "outputs": [
    {
     "data": {
      "application/vnd.jupyter.widget-view+json": {
       "model_id": "38a2bbfe856f4bf797b49f98bb92e6be",
       "version_major": 2,
       "version_minor": 0
      },
      "text/plain": [
       "HBox(children=(HTML(value=''), FloatProgress(value=0.0, max=5.0), HTML(value='')))"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    },
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      " Finished.                     "
     ]
    },
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>input</th>\n",
       "      <th>start_time</th>\n",
       "      <th>dest_device_id</th>\n",
       "      <th>entities</th>\n",
       "      <th>process_name</th>\n",
       "      <th>quantile</th>\n",
       "      <th>end_time</th>\n",
       "      <th>label</th>\n",
       "      <th>parent_process</th>\n",
       "      <th>body</th>\n",
       "      <th>timestamp</th>\n",
       "      <th>dest_user_id</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>7.666667</td>\n",
       "      <td>2020-09-24 17:00:13</td>\n",
       "      <td>5gUXDbXvVfgC/FEpZOFUaA==</td>\n",
       "      <td>[5gUXDbXvVfgC/FEpZOFUaA==]</td>\n",
       "      <td>powershell.exe</td>\n",
       "      <td>0.000000</td>\n",
       "      <td>2020-09-24 17:00:13</td>\n",
       "      <td>True</td>\n",
       "      <td>c:\\windows\\system32\\cmd.exe</td>\n",
       "      <td>TBD</td>\n",
       "      <td>2020-09-24 17:00:13</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>1.164725</td>\n",
       "      <td>2020-09-24 17:15:12</td>\n",
       "      <td>5gUXDbXvVfgC/FEpZOFUaA==</td>\n",
       "      <td>[5gUXDbXvVfgC/FEpZOFUaA==]</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>0.082919</td>\n",
       "      <td>2020-09-24 17:15:12</td>\n",
       "      <td>True</td>\n",
       "      <td>c:\\program files\\splunkforwarderforsplunkinc\\b...</td>\n",
       "      <td>TBD</td>\n",
       "      <td>2020-09-24 17:15:12</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>1.164228</td>\n",
       "      <td>2020-09-24 17:17:12</td>\n",
       "      <td>5gUXDbXvVfgC/FEpZOFUaA==</td>\n",
       "      <td>[5gUXDbXvVfgC/FEpZOFUaA==]</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>0.081037</td>\n",
       "      <td>2020-09-24 17:17:12</td>\n",
       "      <td>True</td>\n",
       "      <td>c:\\program files\\splunkforwarderforsplunkinc\\b...</td>\n",
       "      <td>TBD</td>\n",
       "      <td>2020-09-24 17:17:12</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>1.161742</td>\n",
       "      <td>2020-09-24 17:18:04</td>\n",
       "      <td>IaNYgFTNQvyVmJNuPr58dQ==</td>\n",
       "      <td>[IaNYgFTNQvyVmJNuPr58dQ==]</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>0.083721</td>\n",
       "      <td>2020-09-24 17:18:04</td>\n",
       "      <td>True</td>\n",
       "      <td>c:\\program files\\splunkforwarderforsplunkinc\\b...</td>\n",
       "      <td>TBD</td>\n",
       "      <td>2020-09-24 17:18:04</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>1.158295</td>\n",
       "      <td>2020-09-24 17:18:12</td>\n",
       "      <td>5gUXDbXvVfgC/FEpZOFUaA==</td>\n",
       "      <td>[5gUXDbXvVfgC/FEpZOFUaA==]</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>0.057663</td>\n",
       "      <td>2020-09-24 17:18:12</td>\n",
       "      <td>True</td>\n",
       "      <td>c:\\program files\\splunkforwarderforsplunkinc\\b...</td>\n",
       "      <td>TBD</td>\n",
       "      <td>2020-09-24 17:18:12</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>...</th>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1799</th>\n",
       "      <td>6.918486</td>\n",
       "      <td>2020-09-25 19:46:23</td>\n",
       "      <td>ZTQ/ltGlScpA4WGbfRJ0Xg==</td>\n",
       "      <td>[ZTQ/ltGlScpA4WGbfRJ0Xg==]</td>\n",
       "      <td>sc.exe</td>\n",
       "      <td>0.000843</td>\n",
       "      <td>2020-09-25 19:46:23</td>\n",
       "      <td>True</td>\n",
       "      <td>c:\\windows\\system32\\svchost.exe</td>\n",
       "      <td>TBD</td>\n",
       "      <td>2020-09-25 19:46:23</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1800</th>\n",
       "      <td>8.567270</td>\n",
       "      <td>2020-09-25 16:49:46</td>\n",
       "      <td>lQ+9FBHxYQK/q8qXcrTE9A==</td>\n",
       "      <td>[lQ+9FBHxYQK/q8qXcrTE9A==]</td>\n",
       "      <td>sc.exe</td>\n",
       "      <td>0.000841</td>\n",
       "      <td>2020-09-25 16:49:46</td>\n",
       "      <td>True</td>\n",
       "      <td>c:\\windows\\system32\\svchost.exe</td>\n",
       "      <td>TBD</td>\n",
       "      <td>2020-09-25 16:49:46</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1801</th>\n",
       "      <td>9.991479</td>\n",
       "      <td>2020-09-25 16:50:30</td>\n",
       "      <td>IaNYgFTNQvyVmJNuPr58dQ==</td>\n",
       "      <td>[IaNYgFTNQvyVmJNuPr58dQ==]</td>\n",
       "      <td>sc.exe</td>\n",
       "      <td>0.003361</td>\n",
       "      <td>2020-09-25 16:50:30</td>\n",
       "      <td>True</td>\n",
       "      <td>c:\\windows\\system32\\svchost.exe</td>\n",
       "      <td>TBD</td>\n",
       "      <td>2020-09-25 16:50:30</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1802</th>\n",
       "      <td>5.403934</td>\n",
       "      <td>2020-09-26 05:00:40</td>\n",
       "      <td>OWUYaWKrJeuOY71+TXoqiw==</td>\n",
       "      <td>[OWUYaWKrJeuOY71+TXoqiw==]</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>0.000000</td>\n",
       "      <td>2020-09-26 05:00:40</td>\n",
       "      <td>True</td>\n",
       "      <td>c:\\program files\\splunkuniversalforwarder\\bin\\...</td>\n",
       "      <td>TBD</td>\n",
       "      <td>2020-09-26 05:00:40</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1803</th>\n",
       "      <td>0.035648</td>\n",
       "      <td>2020-09-26 05:06:18</td>\n",
       "      <td>OWUYaWKrJeuOY71+TXoqiw==</td>\n",
       "      <td>[OWUYaWKrJeuOY71+TXoqiw==, rXYtTmzIXq56PqQ+iNO...</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>0.000000</td>\n",
       "      <td>2020-09-26 05:06:18</td>\n",
       "      <td>True</td>\n",
       "      <td>c:\\windows\\system32\\cmd.exe</td>\n",
       "      <td>TBD</td>\n",
       "      <td>2020-09-26 05:06:18</td>\n",
       "      <td>rXYtTmzIXq56PqQ+iNO/xw==</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>1804 rows × 12 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "         input  ...              dest_user_id\n",
       "0     7.666667  ...                       NaN\n",
       "1     1.164725  ...                       NaN\n",
       "2     1.164228  ...                       NaN\n",
       "3     1.161742  ...                       NaN\n",
       "4     1.158295  ...                       NaN\n",
       "...        ...  ...                       ...\n",
       "1799  6.918486  ...                       NaN\n",
       "1800  8.567270  ...                       NaN\n",
       "1801  9.991479  ...                       NaN\n",
       "1802  5.403934  ...                       NaN\n",
       "1803  0.035648  ...  rXYtTmzIXq56PqQ+iNO/xw==\n",
       "\n",
       "[1804 rows x 12 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    },
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "\n"
     ]
    },
    {
     "data": {
      "text/plain": [
       "<spl2_kernel.spl2_runner.SPL2Job at 0x7f787a8f4610>"
      ]
     },
     "execution_count": 22,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "| from read_text(\"s3://smle-experiments/datasets/ssa/T1059.all.labeled.lolbas-test.json\")\n",
    "| select from_json_object(value) as input_event\n",
    "| eval timestamp=ucast(map_get(input_event, \"_time\"), \"long\", null)\n",
    "| eval parent_process=lower(ucast(map_get(input_event, \"parent_process_name\"), \"string\", null)), \n",
    "process_name=lower(ucast(map_get(input_event, \"process_name\"), \"string\", null)), \n",
    "dest_user_id=ucast(map_get(input_event, \"dest_user_id\"), \"string\", null), \n",
    "dest_device_id=ucast(map_get(input_event, \"dest_device_id\"), \"string\", null)\n",
    "| where parent_process!=null \n",
    "| select parent_process, process_name, timestamp, dest_device_id, dest_user_id \n",
    "| conditional_anomaly conditional=\"parent_process\" target=\"process_name\" \n",
    "| rename output as input \n",
    "| adaptive_threshold algorithm=\"quantile\" entity=\"parent_process\" value=\"input\" window=604800000L \n",
    "| where label AND quantile<0.1 AND (process_name=\"powershell.exe\" OR process_name=\"regsvcs.exe\" OR process_name=\"ftp.exe\" OR process_name=\"dfsvc.exe\" OR process_name=\"rasautou.exe\" OR process_name=\"schtasks.exe\" OR process_name=\"xwizard.exe\" OR process_name=\"findstr.exe\" OR process_name=\"esentutl.exe\" OR process_name=\"cscript.exe\" OR process_name=\"reg.exe\" OR process_name=\"csc.exe\" OR process_name=\"atbroker.exe\" OR process_name=\"print.exe\" OR process_name=\"pcwrun.exe\" OR process_name=\"vbc.exe\" OR process_name=\"rpcping.exe\" OR process_name=\"wsreset.exe\" OR process_name=\"ilasm.exe\" OR process_name=\"certutil.exe\" OR process_name=\"replace.exe\" OR process_name=\"mshta.exe\" OR process_name=\"bitsadmin.exe\" OR process_name=\"wscript.exe\" OR process_name=\"ieexec.exe\" OR process_name=\"cmd.exe\" OR process_name=\"microsoft.workflow.compiler.exe\" OR process_name=\"runscripthelper.exe\" OR process_name=\"makecab.exe\" OR process_name=\"forfiles.exe\" OR process_name=\"desktopimgdownldr.exe\" OR process_name=\"control.exe\" OR process_name=\"msbuild.exe\" OR process_name=\"register-cimprovider.exe\" OR process_name=\"tttracer.exe\" OR process_name=\"ie4uinit.exe\" OR process_name=\"sc.exe\" OR process_name=\"bash.exe\" OR process_name=\"hh.exe\" OR process_name=\"cmstp.exe\" OR process_name=\"mmc.exe\" OR process_name=\"jsc.exe\" OR process_name=\"scriptrunner.exe\" OR process_name=\"odbcconf.exe\" OR process_name=\"extexport.exe\" OR process_name=\"msdt.exe\" OR process_name=\"diskshadow.exe\" OR process_name=\"extrac32.exe\" OR process_name=\"eventvwr.exe\" OR process_name=\"mavinject.exe\" OR process_name=\"regasm.exe\" OR process_name=\"gpscript.exe\" OR process_name=\"rundll32.exe\" OR process_name=\"regsvr32.exe\" OR process_name=\"regedit.exe\" OR process_name=\"msiexec.exe\" OR process_name=\"gfxdownloadwrapper.exe\" OR process_name=\"presentationhost.exe\" OR process_name=\"regini.exe\" OR process_name=\"wmic.exe\" 
OR process_name=\"runonce.exe\" OR process_name=\"syncappvpublishingserver.exe\" OR process_name=\"verclsid.exe\" OR process_name=\"psr.exe\" OR process_name=\"infdefaultinstall.exe\" OR process_name=\"explorer.exe\" OR process_name=\"expand.exe\" OR process_name=\"installutil.exe\" OR process_name=\"netsh.exe\" OR process_name=\"wab.exe\" OR process_name=\"dnscmd.exe\" OR process_name=\"at.exe\" OR process_name=\"pcalua.exe\" OR process_name=\"cmdkey.exe\" OR process_name=\"msconfig.exe\")\n",
    "| eval start_time = timestamp, end_time = timestamp, entities = mvappend(dest_device_id, dest_user_id), body = \"TBD\";"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": []
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "SPL2",
   "language": "SPL",
   "name": "spl2"
  },
  "language_info": {
   "mimetype": "text/spl",
   "name": "SPL"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}
